I just had a request to do with auditing activity in the FIM Portal, and as the solution was quite neat and easy to implement I thought I’d share it.
The security team need to archive information about who makes changes in AD and other applications, and now they need to be able to audit the FIM Portal too. While you can search the Request history in the Portal, by default it only keeps 3 months' worth, and this customer needs 7 years.
I had already been dumping the request history to a SQL table, but I had nothing about who approved the requests. However, before I could rethink my SQL scripts the guy said “Actually is there any way we could have it by email? We’re already well set up for archiving and searching emails.” So this is how I managed to satisfy their audit requirements using just the standard Notification activity.
Archive all Requests that change Person objects
First I need an email template that reports the essential information about the request.
Subject: IAM Portal Request [//Request/ObjectID]

Body:

<html>
<p>RequestID: [//Request/ObjectID]</p>
<p>Requestor: [//Requestor/DisplayName] ([//Requestor/Email])</p>
<p>Target: [//Target/DisplayName] ([//Target/Email])</p>
<p>Request submitted on: [//Request/CreatedTime] (GMT)</p>
<p>Request details:</p>
<table style="width: 80%">
<tr class="HeadingStyle"><td>Attribute</td><td>Old Value</td><td>New Value</td></tr>
[//RequestParameter/AllChangesAuthorizationTable]
</table>
<p>Possible Approvers: [//Request/ComputedActor]</p>
</html>
Next I create a workflow that uses the email template to send a notification to the archiving mailbox.
I also created a Set called “All Portal Users” which excludes the Built-In Synchronization Account and a couple of other service accounts, so that emails are only sent for changes made by actual people. Changes made by those excluded accounts (including anything flowing in from the Sync Service) are therefore not archived by this MPR.
And finally I create an MPR:
- Type = Request
- Requestors = “All Portal Users”
- Operation = All
- Grants Permission = False
- Target Resources = “All People”
- Action Workflow = the notification workflow I just created.
This now sends an email to the archiving mailbox whenever a user makes a change to themselves or another person in the FIM Portal.
This particular FIM implementation relies heavily on approvals. An approval request may be sent to several people but only one of them needs to approve it, so it is important to capture who the approver actually was.
I can’t get all the information about the request and its approval into one email, as not all requests have approvals and there is no link from the Person object to the Approval Response. But the customer is happy with two emails, and the Approval email cites the resource ID of the Request, so they have a way of linking the two.
Here’s the Email Template:
Subject: IAM Portal Approval for Request [//Target/Approval/Request/ObjectID]

Body:

<html>
<p>RequestID: [//Target/Approval/Request/ObjectID]</p>
<p>Approver: [//Target/Creator/DisplayName]</p>
<p>Approval Time: [//Target/CreatedTime] (GMT)</p>
<p>Approval Response: [//Target/Decision]</p>
</html>
Again the Workflow is just a simple notification using the template.
I created a Set called “All Approved Approval Responses”. You could use the built-in “All Approval Responses” set if you wanted to archive rejections as well, but here we only wanted to archive successful requests.
The filter for the Set is “all ApprovalResponse objects where Decision = ‘Approved’”.
Finally I created the MPR as follows:
- Type = Set Transition
- Transition In Set = “All Approved Approval Responses”
- Action Workflow = the notification workflow just created.
Emails are now sent to the archiving mailbox whenever an approval completes with an “Approved” status.
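Since the two emails are linked only by the Request ID, here is an added example (my own code, not from the original post and not FIM code) of how an auditor could join the archived request and approval emails back together and spot the gaps the archive leaves. It assumes the mailbox has been exported as (subject, body) pairs and that the portal expands [//RequestParameter/AllChangesAuthorizationTable] as one <tr> per changed attribute; the sample messages, GUIDs, names and times are constructed here, not captured from a real system.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

REQUEST_SUBJECT = "IAM Portal Request "
APPROVAL_SUBJECT = "IAM Portal Approval for Request "

# Bodies in the shape of the two templates in the post. That the portal expands
# [//RequestParameter/AllChangesAuthorizationTable] as one <tr> per change is an assumption.
_REQUEST_BODY = (
    "<html> <p> RequestID: {rid}</p><p>Requestor: {requestor}</p><p>Target: {target}</p>"
    "<p>Request submitted on: {when} (GMT)</p> <p>Request details:</p>"
    '<table style="width: 80%"> <tr class="HeadingStyle"> <td>Attribute</td>'
    " <td>Old Value</td> <td>New Value</td> </tr>{rows} </table>"
    "<p>Possible Approvers: {approvers}</p> </html>")
_APPROVAL_BODY = (
    "<html> <p>RequestID: {rid}</p> <p>Approver: {approver} </p>"
    " <p>Approval Time: {when} (GMT)</p> <p>Approval Response: {decision}</p> </html>")


def _row(attr: str, old: str, new: str) -> str:
    return f" <tr> <td>{attr}</td> <td>{old}</td> <td>{new}</td> </tr>"


# Constructed sample mailbox (invented GUIDs, names and times), not real FIM output.
REQ1, REQ2, REQ3, REQ4 = (f"1b2c3d4e-0000-0000-0000-00000000000{n}" for n in "1234")
ALICE, BOB, DAVE = ("Alice Example (alice@example.com)", "Bob Example (bob@example.com)",
                    "Dave Example (dave@example.com)")
SAMPLE_MAILBOX = [
    (REQUEST_SUBJECT + REQ1, _REQUEST_BODY.format(rid=REQ1, requestor=ALICE, target=BOB,
        when="3/1/2012 10:15:00 AM", rows=_row("JobTitle", "Analyst", "Manager"),
        approvers="Carol Example")),
    (APPROVAL_SUBJECT + REQ1, _APPROVAL_BODY.format(rid=REQ1, approver="Carol Example",
        when="3/1/2012 11:02:00 AM", decision="Approved")),
    # Self-service change with no approval step: no possible approvers listed.
    (REQUEST_SUBJECT + REQ2, _REQUEST_BODY.format(rid=REQ2, requestor=DAVE, target=DAVE,
        when="3/2/2012 9:00:00 AM", rows=_row("MobilePhone", "", "+44 7700 900123"),
        approvers="")),
    # Needed approval, but no Approved email ever arrived (rejected, pending or cancelled).
    (REQUEST_SUBJECT + REQ3, _REQUEST_BODY.format(rid=REQ3, requestor=ALICE, target=BOB,
        when="3/3/2012 2:30:00 PM", rows=_row("Manager", "Carol Example", "Alice Example"),
        approvers="Carol Example")),
    # Approval of a request that did not target a Person, so the first MPR sent no email.
    (APPROVAL_SUBJECT + REQ4, _APPROVAL_BODY.format(rid=REQ4, approver="Carol Example",
        when="3/4/2012 8:45:00 AM", decision="Approved")),
]


@dataclass
class RequestRecord:
    request_id: str
    requestor: str
    target: str
    submitted: str
    changes: List[Tuple[str, str, str]]  # (attribute, old value, new value)
    possible_approvers: str


@dataclass
class ApprovalRecord:
    request_id: str
    approver: str
    approval_time: str
    decision: str


_TAG = re.compile(r"<[^>]+>")


def _field(body: str, label: str) -> str:
    """Text following 'label:' inside its <p>...</p>, with any tags stripped."""
    m = re.search(r"<p>\s*" + re.escape(label) + r":\s*(.*?)</p>", body, re.S)
    return _TAG.sub("", m.group(1)).strip() if m else ""


def _change_rows(body: str) -> List[Tuple[str, str, str]]:
    """Rows of the Attribute/Old Value/New Value table, skipping the heading row."""
    rows = re.findall(r"<tr[^>]*>(.*?)</tr>", body, re.S)
    cells = [[c.strip() for c in re.findall(r"<td>(.*?)</td>", r, re.S)] for r in rows[1:]]
    return [tuple(c) for c in cells if len(c) == 3]


def parse_message(subject: str, body: str) -> Union[RequestRecord, ApprovalRecord, None]:
    """Classify an archived mail by its subject prefix; anything else is ignored."""
    if subject.startswith(REQUEST_SUBJECT):
        return RequestRecord(_field(body, "RequestID"), _field(body, "Requestor"),
                             _field(body, "Target"), _field(body, "Request submitted on"),
                             _change_rows(body), _field(body, "Possible Approvers"))
    if subject.startswith(APPROVAL_SUBJECT):
        return ApprovalRecord(_field(body, "RequestID"), _field(body, "Approver"),
                              _field(body, "Approval Time"), _field(body, "Approval Response"))
    return None


def build_audit_trail(mailbox: List[Tuple[str, str]]) -> Dict[str, dict]:
    """Group request and approval emails by the Request ObjectID they cite."""
    trail: Dict[str, dict] = {}
    for subject, body in mailbox:
        rec = parse_message(subject, body)
        if rec is None:
            continue
        entry = trail.setdefault(rec.request_id, {"request": None, "approvals": []})
        if isinstance(rec, RequestRecord):
            entry["request"] = rec
        else:
            entry["approvals"].append(rec)
    return trail


def unresolved_requests(trail: Dict[str, dict]) -> List[str]:
    """Requests that listed possible approvers but have no archived Approved response.
    Only Approved responses are archived, so these may be rejected, cancelled or pending."""
    return sorted(rid for rid, e in trail.items()
                  if e["request"] is not None and e["request"].possible_approvers
                  and not any(a.decision == "Approved" for a in e["approvals"]))


def orphan_approvals(trail: Dict[str, dict]) -> List[str]:
    """Approval emails with no matching request email (request was outside the first MPR)."""
    return sorted(rid for rid, e in trail.items() if e["request"] is None and e["approvals"])
```

Two caveats fall straight out of the join. Because only Approved responses are archived, a request that listed possible approvers but has no approval email could have been rejected, cancelled or still be pending, and the mailbox alone cannot say which. And because the Set Transition MPR fires for every approved ApprovalResponse, approvals of requests that fall outside the Person-change MPR (group membership requests, for instance) arrive with no request email to link to.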